Risk Management

Risk Management: Understand Vulnerabilities First

It's easy to see where an organization underspent or overspent in the evaluation and mitigation of risks: there's almost always a point where, in hindsight, the right amount of control is discovered. The solution, according to Peter Spier, is a mix between business minded and technical risk management. The balance helps create a solution that is both cost and needs effective. By using a Common Vulnerability Scoring System (CVSS), an organization can identify “vulnerability access vectors, complexity, authentication requirements, and the potential impact to confidentiality, integrity, and availability.” However, having these security controls in place doesn't make you invulnerable:

For example, suppose a database server is identified as being prone to one or more SQL injection vulnerabilities. It is isolated to a dedicated network segment with established access controls restricting communications to authorized internal hosts and the entirety of network assets protected by host-based and perimeter security controls including, respectively, both anti-virus protection and an intrusion prevention system. While the probability of exploit is arguably contained, the vulnerability remains.

This is one of the reasons why understanding vulnerability is essential: without understanding it is impossible to recognize what will and will not be effective in managing them, what risks will still exist, or what vulnerabilities were not addressed.


Anne Grybowski

Anne is a former staff writer for CAI's Accelerating IT Success, with a degree in Media Studies from Penn State University.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button

We use cookies on our website

We use cookies to give you the best user experience. Please confirm, if you accept our tracking cookies. You can also decline the tracking, so you can continue to visit our website without any data sent to third party services.